New Premium Trojan Ups Ante

Tuesday, November 22, 2011 @ 01:11 PM gHale

After researchers discovered “OpFake,” a mobile Trojan that shares code with “Spitmo,” a newcomer, “SymbOS/ConBot,” has turned up with the same characteristics.

The premium SMS sender has a fairly sophisticated way of functioning, but unlike OpFake, it doesn’t rely on fake Opera updates to carry out its malicious tasks, said researchers at F-Secure.


Found on a Russian domain, the first and only known instance of ConBot relies on Spitmo’s source code, but unlike OpFake, it doesn’t add an icon to the application menu, which makes it harder to detect.

Since it doesn’t alert the user to its presence in any way, researchers said it may end up passing as a “security certificate update.”

ConBot.A contains a package called SystemService that includes another package called AppBot. The latter’s executable runs automatically each time the phone starts, thanks to an accompanying .rsc (resource) file.

Once executed, it decrypts a file named SystemService.boot which points to c:\sys\bin\SystemService.exe, the file that actually contains the payload.

After collecting all the phone numbers it can find on the device, ConBot sends them, along with the phone’s IMEI number, to a remote server hosted on the same Russian domain. In return, the server sends the infected phone an XML file containing instructions on where to send the SMS messages.

Besides this, it also closely monitors all incoming messages, deleting those that meet certain conditions.

Even though this function is similar to Spitmo.A and OpFake.A, the certificate it signs itself with is not the same as OpFake’s.

An interesting thing about ConBot is that the C&C server address can be updated by text message, so if the command and control server goes down, it doesn’t necessarily mean the botnet goes down with it.
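As an added, defender-side illustration that is not part of the original article or F-Secure’s research, the Python heuristic below scores a constructed device event log for the three behaviours described above: IMEI and contact numbers posted to one host, SMS fan-out to numbers the user never stored, and inbound SMS deleted before display. The event format, host name and phone numbers are all assumptions.

```python
"""Score a constructed event log for ConBot-style behaviour (example code)."""

# Constructed sample events as (kind, detail) pairs. The kinds and the
# field names are an assumed log format, not any real telemetry schema.
SAMPLE_EVENTS = [
    ("http_post", {"host": "c2.example.invalid", "fields": ["imei", "numbers"]}),
    ("sms_out", {"to": "+70001110001"}),
    ("sms_out", {"to": "+70001110002"}),
    ("sms_out", {"to": "+70001110003"}),
    ("sms_in_deleted", {"from": "+70001110001"}),
    ("sms_in_deleted", {"from": "+70001110002"}),
]

# Constructed user address book; outbound SMS to anything else is suspicious.
CONTACTS = {"+3580000001", "+3580000002"}


def score_events(events, contacts, fanout_threshold=3):
    """Return (score, reasons); each hallmark found adds one point.

    Hallmark 1: an HTTP POST carrying both an IMEI and a list of numbers.
    Hallmark 2: SMS sent to at least `fanout_threshold` numbers not in contacts.
    Hallmark 3: any inbound SMS removed before the user could see it.
    """
    reasons = []

    exfil_hosts = {d["host"] for kind, d in events
                   if kind == "http_post" and {"imei", "numbers"} <= set(d["fields"])}
    if exfil_hosts:
        reasons.append("IMEI and contact numbers posted to %s" % sorted(exfil_hosts))

    unknown_dests = {d["to"] for kind, d in events
                     if kind == "sms_out" and d["to"] not in contacts}
    if len(unknown_dests) >= fanout_threshold:
        reasons.append("SMS sent to %d numbers not in contacts" % len(unknown_dests))

    deleted = [d["from"] for kind, d in events if kind == "sms_in_deleted"]
    if deleted:
        reasons.append("%d inbound SMS deleted before display" % len(deleted))

    return len(reasons), reasons


if __name__ == "__main__":
    for line in score_events(SAMPLE_EVENTS, CONTACTS)[1]:
        print(line)
```

On the constructed sample the score is 3 out of 3; a clean device with no such events scores 0.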
